Please amend the present application as follows: 
Claims 

The following is a copy of Applicant's claims that identifies language being added 

with underlining (" ") and language being deleted with strikethrough (" "), as is 

applicable: 

1. (Currently amended) An apparatus for performing network routing, the 
apparatus comprising: 

authentication logic configured to receive packets sent from a source agent to an 
endpoint of a tunnel and to determine whether a security association of a packet received 
corresponds to said source agent, the tunnel being configured by said source agent in 
accordance with a network protocol; 

decision logic configured to make a routing decision for each authenticated packet 
at least in part without regard to contents of a pavload of the packet, the routing decision 
being that is constrain e d based on the security association of the authenticated packet; and 

routing logic configured to select a routing destination for each authenticated 
packet and to route the authenticated packet to the selected routing destination, the 
routing destination selection being based at least partially on said routing decision. 

2. (Original) The apparatus of claim 1, wherein the routing destination 
selection is based solely on said routing decision. 
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3. (Original) The apparatus of claim 1, further comprising: 
decapsulation logic configured to decapsulate received packets, wherein when the 

decapsulation logic decapsulates a packet, the security association of the packet is 
preserved and contents of a payload of an authenticated packet are routed to the selected 
routing destination. 

4. (Original) The apparatus of claim 1, wherein the network protocol is 
Internet Protocol Security (IPSec) Protocol (EPSEP). 

5. (Previously presented) The apparatus of claim 1, wherein the network 
protocol is a public protocol. 

6. (Previously presented) The apparatus of claim 1, wherein the network 
protocol is a private protocol. 

7. (Original) The apparatus of claim 1, wherein said routing decision to route 
at least a portion of contents of a payload of an authenticated packet to a layer 3 device, 
wherein layer 3 corresponds to a particular layer of Open Systems Interconnect (OSI) 
networking model. 

8. (Original) The apparatus of claim 7, wherein the layer 3 device is a router. 
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9. (Original) The apparatus of claim 1, wherein said routing decision is a 
decision to route at least a portion of contents of a payload of an authenticated packet to a 
layer 2 device, wherein layer 2 corresponds to a particular layer of Open Systems 
Interconnect (OSI) networking model. 

10. (Original) The apparatus of claim 9, wherein the layer 2 device is a switch. 

1 1 . (Original) The apparatus of claim 10, wherein the switch is comprised by a 
Virtual Local Area Network (VLAN). 

12. (Original) The apparatus of claim 1, wherein the decision made by the 
decision logic is a decision as whether to route at least a portion of a payload contents of 
an authenticated packet to a layer 2 device or to a layer 3 device, wherein layers 2 and 3 
correspond to particular layers of Open Systems Interconnect (OSI) networking model. 

13. (Currently amended) The apparatus of claim 1, wherein said routing 
decision is made by said decision logic without any regard to the contents of a payload of 
the authenticated packet. 

14. (Original) The apparatus of claim 1, wherein an authentication ID is 
derived from said security association, and wherein said routing decision is constrained 
based on said authentication ID. 
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15. (Currently amended) A method for performing network routing, the 
method comprising: 

authenticating received packets sent from a source agent to an endpoint of a tunnel 
by determining whether a security association of a received packet corresponds to the 
source agent that sent the packet, the tunnel being configured by said source agent in 
accordance with a network protocol; 

making a routing decision for an authenticated packet at least in part without 
regard to contents of a payload of the packet , the routing decision being constrained based 
on the security association of the authenticated packet; 

selecting a routing destination for a packet based at least partially on the routing 
decision; and 

routing the authenticated packet to the selected routing destination. 

16. (Previously presented) The method of claim 15, further comprising: 
decapsulating the packets, wherein when the packet is decapsulated, contents of a 

payload of the authenticated packet are decapsulated and the security association of the 
packet is preserved. 

17. (Original) The method of claim 15, wherein the network protocol is 
Internet Protocol Security (IPSec) Protocol (IPSEP). 
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18. (Original) The method of claim 15, wherein said routing decision is a 
decision to route at least a portion of payload contents of the authenticated packet to a 
layer 3 device, layer 3 corresponding to a particular layer of an Open Systems 
Interconnect (OSI) networking model. 

19. (Original) The method of claim 18, wherein the layer 3 device is a router. 

20. (Original) The method of claim 15, wherein said routing decision is a 
decision to route at least a portion of payload contents of an authenticated packet to a 
layer 2 device, layer 2 corresponding to a particular layer of an Open Systems 
Interconnect (OSI) networking model. 

21 . (Original) The method of claim 20, wherein the layer 2 device is a switch. 

22. (Original) The method of claim 21, wherein the switch is comprised by a 
Virtual Local Area Network (VLAN) switch. 

23. (Original) The method of claim 15, wherein the routing decision is a 
decision as to whether to route at least a portion of payload contents of an authenticated 
packet to a layer 2 device or to a layer 3 device, wherein layers 2 and 3 correspond to 
particular layers of an Open Systems Interconnect (OSI) networking model. 



24. (Currently amended) A computer program for performing network routing 
in accordance with a private network security technique, the computer program being 
embodied on a computer readable medium, the computer program comprising: 

a first code segment, the first code segment authenticating received packets sent 
from a source agent to a tunnel endpoint to determine whether a security association of a 
received packet corresponds to the source agent that sent the packet, the tunnel being 
configured by said source in accordance with a network protocol; 

a second code segment, the second code segment making a routing decision for an 
authenticated packet at least in part without regard to contents of a payload of the packet , 
the routing decision being constrained based on the security association of the 
authenticated; and 

a third code segment, the third code segment selecting a routing destination for the 
authenticated packet based at least partially on the routing decision made by the second 
code segment. 

25. (Original) The computer program of claim 24, further comprising: 

a fourth code segment that is executed before the second code segment, the fourth 
code segment performing a decryption algorithm that attempts to decrypt the 
authenticated packet prior to the second code segment making a routing decision, wherein 
when the decryption algorithm is successful at decrypting the authenticated packet, 
contents of a payload of the authenticated packet are decrypted and the security 
association of the security association of the decrypted packet is preserved for use by the 
second code segment in making the routing decision. 
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26. (Previously presented) A method for routing a packet, comprising: 
receiving a packet at a tunnel endpoint; 

authenticating the packet; 

preserving a security association of the packet as an authentication ID; 

making a routing determination for routing contents of the packet by looking up 
the authentication ID in a table to determine a destination IP address to which the packet 
is to be routed. 

27. (Previously presented) The method of claim 26, wherein the routing 
determination is made without regard to an internal destination address contained within a 
payload of the packet. 

28. (Previously presented) The method of claim 26, wherein the packet is an 
Internet Protocol Security (IPSec) packet. 

29. (Previously presented) The method of claim 26, further comprising routing 
the packet to an IP address found in the table. 

30. (Previously presented) The method of claim 26, further comprising 
broadcasting the packet to all IP addresses found in the table that pertain to a given 
destination. 
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